Synack initially reported two information disclosure vulnerabilities to Grindr in March 2014. On August 16, 2014 exploit details of one of the two reported vulnerabilities were published on Pastebin by an anonymous individual that independently identified the vulnerability in the Grindr app. The other vulnerability has been silently patched by Grindr. During Synack’s research, several other issues were uncovered that are not vulnerabilities but have security implications.

As the unpatched vulnerability is now public and there are unconfirmed reports of gay individuals being identified by the Egyptian police using this vulnerability, Synack is publishing the following Security Advisory to ensure Grindr users are fully informed of their risk and the impact of this issue to their privacy and physical safety.

Summary:

Synack researchers discovered two vulnerabilities allowing an attacker to monitor essentially all Grindr user’s locations in real-time. The first vulnerability allows an attacker to view a user’s relative location down to the to the foot, as well as track their movement over time. This is problematic, as such a high level of precision should not be granted to an anonymous attacker. The second vulnerability identified within the Grindr app would continue to broadcast a user’s location even when the user opted out of location-sharing in the application’s setting.

A proof of concept was developed to demonstrate the capability at a city-scale level; through data analysis was possible to determine users’ identities as well as discover pattern of life (home and work locations). It should be noted that the attacker can interact anonymously with the server-side API; downloading the app or creating a user account is not required for several if not all of the APIs.

When combined with other profile information such as a user profile picture, social media linked to a Grindr account and other user supplied information, a user’s (possibly masked) identity can easily be revealed. This is highly problematic for Grindr users that wish to keep their home or work location or personal identity private, only choosing to use the Grindr application at specific times.

During vulnerability research and disclosure no individual Grindr users were intentionally or unintentionally identified. All data logged has been irrecoverably destroyed. The purpose of this research was not to identify Grindr users but to help protect those that wish to remain private.

Grindr is a popular social networking application for gay and bisexual men, with a self-reported four million accounts in 192 countries.

CVE ID: None assigned.

The scope of CVE is limited to software problems that can be fixed on the computers or devices controlled by customers. In this case the vulnerability exists because central Grindr servers are providing data that can be used in trilateration attacks. Addressing this vulnerability requires changing Grindr servers and/or system architecture.

CVSS: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products:

Grindr for iOS

Grindr for Android

Grindr for BlackBerry

Technical Details:

Vulnerability 1: Grindr allows users to view how far away they are from other users. Unfortunately, this relative location data is always reported to the highest possible precision, (often down to the sub-foot level of accuracy). An attacker can manipulate the Grindr private API to reveal a user’s distance relative to arbitrary coordinates supplied by the attacker. Due to a lack of API rate limiting, the attacker can use an iterative approach and leverage standard trilateration algorithms to calculate a user’s precise location coordinates in real-time.

Grindr has released a statement indicating this is not a vulnerability but a feature of their application.

Vulnerability 2: The Grindr app broadcast user location data even when a user opted out of sharing in the application settings. This location data was not exposed visually to other Grindr users but was still transmitted, allowing an attacker to track (via vulnerability #1) any user. As this vulnerability was silently patched by Grindr in May 2014, users’ that opt out of sharing their location can no longer be tracked.

Synack researchers also uncovered additional issues that may have security implications. While these are not vulnerabilities, in conjunction with the first vulnerability above they may further undermine the privacy of the Grindr users.

1. The user’s exact location is reported to Grindr’s servers, even when “show distance” is disabled by the user. While sharing one’s location is essential to the functionality of the app (and is done over SSL), reporting this data to such a high level of precision to a third party (i.e. Grindr) may be a privacy concern for users.

2. The iOS Grindr app does not pin SSL certificates. SSL pinning is an extra layer of security that ensures a client will only communicate with a well-defined set of servers. Since the Grindr iOS app does not use SSL pinning, a man-in-the-middle attack could occur. If an attacker has a compromised root certificate, or can coerce a user to install a certificate (for example by emailing the user with an attached certificate) the connection can be hijacked and the user’s exact location can be revealed.

Recommendations:

Synack recommends that Grindr customers delete and stop use of the Grindr app until the vendor has addressed the first vulnerability detailed in this advisory.

Mitigations: none

Workarounds: Turn off location services “show distance” for the Grindr app. Note that this will have an impact on application usability given the purpose of the application and will not wholly eliminate the risk of information disclosure as the user’s precise location is still being transmitted to Grindr and the user will show as a ‘nearby’ user to others.

References:

Credit: The initial vulnerabilities were identified by Colby Moore. Ongoing research and the discovery of subsequent issues was performed in conjunction with Patrick Wardle. Both Colby and Patrick are Synack employees.

Disclosure Timeline:

March 6, 2014 – First Disclosure to Vendor: no reply

March 23, 2014 – Second Disclosure to Vendor

March 24, 2014 – Vendor response

March 25, 2014 – Conference call with Vendor

March 31, 2014 – Full technical writeup and POC sent to vendor: no reply

April 10, 2014 – Status update requested from vendor

April 15, 2014 – Limited response received from vendor

April 24, 2014 – Status update requested from vendor

April 25, 2014 – Status update received from vendor with estimated fix date of 09May14

September 5, 2014 – Synack Security Research Advisory SSRA-2014-001 published

​About Synack:

Synack allows enterprises to harness elite researchers employing the most current techniques in a trusted, verified model to prevent security vulnerabilities from becoming business risks. Synack’s solution is the dynamic, on-demand component of your security plan.